shoris asked:
Windows 2008 R2 Event Log

2008 R2 64bit

I am in the process of defining a GPO on the Default Domain Controllers Policy and I have enabled the following for audits:
1) Audit Logon Events (S/F) = Success and Failure
2) Account Management
3) Directory Service Access
4) Policy Change

I used the best practice from MS to set the maximum size for the Application, Security and System logs to 4194240 KB.

Now moving on to the Retain and Retention settings, can anyone guide me on what would be best defined? I want to keep the events there for at least 90 days.
ASKER CERTIFIED SOLUTION
page1985
It would be a tricky answer. I would suggest you plan for automatic archiving of event logs after a certain number of days.
http://www.petri.co.il/event_logs_archiving_with_gpo.htm

Also there is another thread going on a similar topic. You can read it as well.

https://www.experts-exchange.com/questions/27847609/Retention-of-Windows-server-event-logs-Precedence-of-Windows-2008-settings.html
shoris (ASKER)
Thank you. So since I set it at 4 GB and applied the retention override "as needed", does that mean that if the log fills to 4 GB the retention will kick in and clear it? This way I don't have to clear it myself or risk the log filling up so that no user can log in.

page1985
It will not clear the entire log. It will "roll" the log, which means that when you reach the 4 GB mark, it will continue logging by replacing the oldest entries in the log first. So if you write 5 entries, the oldest 5 entries will be lost. Thereby we maintain the 4 GB file size and still continue logging.
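The exchange above settles what "Overwrite events as needed" does, but not whether a 4 GB Security log actually holds 90 days on a given DC; that depends on the audit rate. The script below is an added example, not code from the original thread or from either participant: it reads the log's current size cap and retention mode, measures how many days the log currently spans from its oldest and newest records, extrapolates the size needed for the target window, and prints the wevtutil equivalents of the three retention modes. The log name, the 90-day target and the 4194240 KB cap are parameters taken from the question; the function name and the warning text are this example's own.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the domain controller. Function name is this example's own.
function Test-EventLogRetention {
    param(
        [string]$LogName   = 'Security',   # log under discussion in the question
        [int]   $TargetDays = 90,          # retention goal from the question
        [int64] $MaxSizeKB  = 4194240      # MS best-practice cap from the question
    )

    # Current configuration: size cap, file size, retention mode.
    # LogMode values: Circular   = "Overwrite events as needed"
    #                 AutoBackup = "Archive the log when full, do not overwrite events"
    #                 Retain     = "Do not overwrite events (clear log manually)"
    $cfg = Get-WinEvent -ListLog $LogName
    "Log:               {0}"      -f $cfg.LogName
    "Maximum size:      {0:N0} B" -f $cfg.MaximumSizeInBytes
    "Current file size: {0:N0} B" -f $cfg.FileSize
    "Record count:      {0:N0}"   -f $cfg.RecordCount
    "Retention mode:    {0}"      -f $cfg.LogMode

    # Oldest and newest records bound the window the log currently covers.
    # The oldest record is the first in the file, so -Oldest -MaxEvents 1 is cheap.
    $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1
    $spanDays = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
    "Observed coverage: {0:N1} days" -f $spanDays

    if ($spanDays -gt 0) {
        # Extrapolate bytes/day at the observed rate to the target window.
        $bytesPerDay  = $cfg.FileSize / $spanDays
        $neededBytes  = [int64]($bytesPerDay * $TargetDays)
        $capBytes     = $MaxSizeKB * 1KB
        "Estimated size for {0} days: {1:N0} B ({2:N0} KB)" -f $TargetDays, $neededBytes, [int64]($neededBytes / 1KB)

        if ($neededBytes -gt $capBytes) {
            Write-Warning ("A {0} KB log will roll before {1} days at the current audit rate. " +
                           "Use AutoBackup (archive when full) or forward events to a collector.") -f $MaxSizeKB, $TargetDays
        } else {
            "A {0} KB cap holds the {1}-day target at the current rate." -f $MaxSizeKB, $TargetDays
        }
    }

    # Local equivalents of the GPO retention choices (shown, not executed).
    # 4194240 KB = 4294901760 bytes. A GPO-managed log re-applies the policy
    # value on refresh, so set these in the GPO, not just locally.
    $capBytesText = [string]($MaxSizeKB * 1KB)
    "wevtutil sl $LogName /ms:$capBytesText /rt:false /ab:false   # overwrite as needed (Circular)"
    "wevtutil sl $LogName /ms:$capBytesText /rt:true  /ab:true    # archive when full   (AutoBackup)"
    "wevtutil sl $LogName /ms:$capBytesText /rt:true  /ab:false   # do not overwrite    (Retain)"
}

Test-EventLogRetention -LogName 'Security' -TargetDays 90 -MaxSizeKB 4194240
```

Two caveats a practitioner should keep in mind. The estimate is only as good as the window it measures: if the log was cleared recently, or the audit policy in the question was just turned on, run the check again after a few days of representative load. And the lock-out scenario the asker mentions (users unable to log on when the Security log fills) only arises with "Do not overwrite events" combined with the "Audit: Shut down system immediately if unable to log security audits" policy; with "Overwrite events as needed" the log rolls exactly as described in the reply above, at the cost of silently losing the oldest events.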
shoris (ASKER)

Thank you so much for the explanation. Excellent, that works out.